Authentication and Security

There are multiple levels of Account Authentication, and various situations where each level may apply.

The most common levels of authentication are involved for account reviews and 2FA modification. The least common level is the most severe, implemented in case of account ownership disputes.

Use common sense and your brain, not box-checking!  We've found fraudulent accounts where the client submitted every document we requested... but they were phony Photoshop-jobs.

  • From the SA (page or ticket sidebar) click the BIN button to see more details about the card and its issuing bank.
  • If that is not working for any reason, use https://www.freebinchecker.com/bin-search to confirm that the issuing bank of a credit card is real and is the correct bank appearing on the card.

LEVEL 1a: Adding authorized account access

If a client wants to add an additional authorized user to their support account (someone who can receive account details and request changes), that request must be initiated from the primary login email on the Sales Account.

LEVEL 1b: 2FA Downgrade

If a client is enrolled in 2-Factor app-based authentication, they can send us an email from the account address to request a downgrade to email-based authentication if they have lost access to their app. All agents with Global Unlock will also be granted this access.

LEVEL 1c: 2FA Downgrade with no email access

This could be the result of a forgotten password or domain change.

If they no longer have access to that email address, a photo of their ID and Credit Card on File can be submitted through the Google Form https://forms.gle/WiJ46QtjccSEiXbP9, or Engagement can coordinate a video call and use other verification methods:

Methods:

  • View ID on call
  • Ask property addresses
  • Ask cost of last monthly invoice
  • Ask Airbnb account number
  • (If affiliate) Ask EIN/SSN on W9
  • (If Hosted Website) Screenshare and log in to dashboard of domain registrar
  • Screenshare and log in to dashboard of payment processor

Record what was viewed in the Account Verification field in SA. The call must be done by a Helpdesk/Engagement agent with Global Unlock or any member of Leadership.

2FA Mode can be downgraded and then the account login email changed at that time (via impersonation: My Account > Profile > Personal Info).

LEVEL 2: Scamalytics / Airbnb autolock / Manual account review

These are usually initial lockouts soon after an account is opened. This can be due to suspicious account details, or unusual activity such as connecting to Airbnb before setting up any properties. This can also be set on an existing account if they try connecting to an Airbnb account that’s already API-connected to a different OwnerRez account.

This can be bypassed (Account Verified) if a live call has been completed with the client (Engagement call or Onboarding JumpStart).

These accounts should be manually reviewed for signs of obvious scammers:

  • Review the SA and compare client name, email address, and business name.
  • Check that property addresses are included.
  • Check for known spammy email address extensions (not .com/.net/.org), especially any “.host” address and outlook.com addresses.
  • Look at photos to see if all photos are generic, unidentifiable locations.
  • Verify property details: Are all properties in different countries? Are there any property listings in the country the account holder is from?
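
The checklist above as a pre-screen that surfaces flags for the human reviewer. This is an added example, not OwnerRez code: the record fields (`email`, `country`, `properties`) and the sample accounts are constructed, and the flags only prompt the manual review; they do not decide it.

```python
# Added illustration: pre-screen flags for the Level 2 manual review checklist.

COMMON_TLDS = {"com", "net", "org"}   # extensions the checklist treats as normal
WATCHED_TLDS = {"host"}               # called out specifically in the checklist
WATCHED_DOMAINS = {"outlook.com"}     # called out specifically in the checklist


def email_flags(email):
    """Flag the email-extension items from the checklist."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    tld = domain.rsplit(".", 1)[-1]
    flags = []
    if domain in WATCHED_DOMAINS:
        flags.append(f"watched email domain: {domain}")
    if tld in WATCHED_TLDS:
        flags.append(f"watched email extension: .{tld}")
    elif tld not in COMMON_TLDS:
        flags.append(f"uncommon email extension: .{tld}")
    return flags


def property_flags(account):
    """Flag missing addresses and the two country questions."""
    props = account.get("properties", [])
    if not props:
        return ["no properties set up yet"]
    flags = []
    missing = [p["name"] for p in props if not p.get("address", "").strip()]
    if missing:
        flags.append("no address on: " + ", ".join(missing))
    countries = [p.get("country", "").upper() for p in props]
    if len(props) > 1 and len(set(countries)) == len(countries):
        flags.append("every property is in a different country")
    if account.get("country", "").upper() not in countries:
        flags.append("no property in the account holder's country")
    return flags


def review_flags(account):
    """Return every flag for one account; a human still makes the call."""
    return email_flags(account["email"]) + property_flags(account)


# Constructed sample accounts (hypothetical field names, not an OwnerRez format).
SUSPECT = {"email": "bookings@villa-deals.host", "country": "US", "properties": [
    {"name": "Sea View", "address": "", "country": "ES"},
    {"name": "Alpine Loft", "address": "", "country": "CH"}]}
ORDINARY = {"email": "jane@example.com", "country": "US", "properties": [
    {"name": "Lake Cabin", "address": "12 Shore Rd, Lakeville", "country": "US"}]}
```

An empty list from `review_flags` does not clear an account; photos and listing content still need a person to look at them.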

If there is not enough suspicion to lock the account, unlock without “setting account verification”. Note the account for a 1-week follow-up: set the ticket On Hold if one exists; otherwise, create a ticket for this purpose. This will give them time to actually complete account details and add property information. Then a normal review can be completed at that time.

In a manual account review, you’re looking for any suspicious content. Same as above, the account details (name/email/company) should be reviewed, as well as property detail and listing content. Check for real addresses on the properties and that listings look legitimate, and also check API Integrations to see if they have multiple Airbnb accounts where the name/email looks suspicious or that have Suspended/Revoked flags.

If you are satisfied with the account status after your review, you can set the account as Verified, and unlock it if necessary. If the client wrote in about being locked but we don’t need their ID, you can reply to their ticket using the "[Support] Manual review completed" macro after you’ve unlocked it.

At any point in the process, if there is enough to raise concerns about a scammer, lock the account, and create a support ticket using the "[Account] Spam account closed, ask for ID" macro.

This macro requires that they submit (via Google Form) a photo of their ID or their credit card that is on file. Document numbers can be blocked in the images, except what’s necessary (as specified in the macro).

Upon receiving the document, notate that on the SA.

If the client does not want to submit photos of the documentation, Engagement can coordinate a video call where they show the document on-call and it can be logged as verified (without screenshots).

Upon receiving documentation, the SA can be flagged as Verified; in the verification note, include what ID was provided.

LEVEL 3: Account ownership dispute

Account ownership disputes are the highest level of security concern. This can mean someone is trying to gain access to an account that is not theirs, or that they formerly had access to.

In the case of an ownership dispute such as a divorce, both ID and billing card must be verified and kept on file. The macro in Text Blaze titled "Account ownership dispute, ask for ID" should be utilized.

This macro requires that they send in a photo of their ID and their credit card that is on file via Google Form. Document numbers can be blocked in the images, except what’s necessary (as specified in the macro).

Upon receiving the document, notate that on the SA. 

If the client does not want to submit the documentation via Google Form, Engagement can coordinate a video call where they show the document on-call and a screenshot can be taken. Photos of the documents must be kept on-file.

LEVEL 3b: Phishing victim / Partner hack alert

If someone is a victim of a phishing scam and their account is compromised, that means that the attacker has gained access to their email (for 2FA) as well. Email-based verification is not an option. The same is potentially also true when one of our channel partners (e.g. Airbnb) alerts us that they believe an account has been hacked. Note that this is not necessarily the same thing as a partner telling us that an account is fraudulent, merely that it was hacked.

WARNING:

Attackers who have compromised client email accounts can also reset OwnerRez passwords and change the contact information in their account. However, they do not have full access to change all SA data. For this reason, it is essential to contact clients using Sales Account phone numbers, with emphasis on the oldest ones if known.

Call (phone) the client and advise them to change their email and OwnerRez passwords first (and ensure there is no email forwarding). Then send a Google Meet invite to video chat and see the client with their ID.

Screenshot their ID and upload it to the Verification Form so it is on record: https://forms.gle/WiJ46QtjccSEiXbP9 

Once ID is confirmed, scramble the password and provide a reset link (send from SA > Security or provide Amnesia Page). Ensure there are no unrecognized Team Access accounts (including "OwnerRez Test" or any variant) or Payment Method accounts.

Confirmed Frauds

Once an account has been positively confirmed and decided to be a fraud, take the following actions:

  • Security > Set Account Verification to "Known Bad"
  • Close the account. Select "Other" as the reason, and put a full explanation in the description box, including a link to any relevant tickets.
  • Place the "Fraud" tag on the SA.
  • Do not issue any refunds - fraud is a violation of our TOS and does not entitle the accountholder to a refund.
  • If the account is/was connected to any of our partner listing channels, and the channels have not already taken action of their own (e.g. by shutting down their account themselves and notifying us), notify leadership to inform them as a courtesy:
  • Email to channels should include all associated listing IDs for that channel. This can be pulled using the URL https://app.ownerrez.com/settings/channels/##########/downloadpropertymapping, changing ########## to the API channel ID (the numeric ID from that channel's URL).

1) Click into the API page
2) Add "downloadpropertymapping" to the end of the URL

 

Sites for Checking EIN/LLC Status

Florida - sunbiz.org

California - https://bizfileonline.sos.ca.gov/search/business